A global biopharma’s journey from fragmented vendor oversight to intelligence-driven, continuous third-party risk management
Background and Context
As a global biopharmaceutical company dedicated to improving the lives of people suffering from severe autoimmune diseases and cancer, argenx operates in more than 30 countries with an extensive third-party ecosystem spanning manufacturing, CROs, IT service providers, and logistics partners. With shares traded on Euronext Brussels and Nasdaq (ARGX), argenx’s rapid clinical expansion and commercial launches created continuous demand for new vendor relationships and rapid onboarding cycles.
As the organization scaled, the limitations of its existing vendor risk management approach became untenable. Manual workflows and fragmented oversight no longer supported the complexity of managing 150+ critical vendors across 37+ countries—each subject to overlapping regulatory requirements across the EU, US, Japan, and other markets.
Business Challenges
argenx recognized critical structural gaps in its third-party risk management (TPRM) program early in its risk maturation journey. Key challenges included:
- No centralized TPRM platform — Multiple teams managed vendor relationships independently, with assessments stored in spreadsheets, shared drives, and email threads, creating inconsistent oversight.
- Static, point-in-time assessments — Traditional vendor due diligence was limited to pre-onboarding questionnaires that quickly became outdated, missing emerging risks between assessment cycles.
- No continuous monitoring capability — Without real-time threat intelligence, security teams had no visibility into vendor breaches, infrastructure changes, or emerging vulnerabilities between reviews.
- Fragmented risk visibility — Risk information scattered across departments made it impossible to aggregate, compare, or prioritize vendor risks at the portfolio level.
- Rapid vendor proliferation — Clinical expansion drove a surge in new vendor relationships, overwhelming existing assessment capacity and extending onboarding timelines.
- Inconsistent assessment methodology — Without standardized criteria, different teams applied different evaluation frameworks, making it difficult to compare risk levels across vendors or track changes over time.
Strategic Solution
A structured, intelligence-driven approach replaced fragmented spreadsheets and static questionnaires by combining real-time OSINT monitoring with deep-dive assessments on a unified, three-layer platform.
Layer 1: Automated Cyber Intelligence — Real-Time Continuous Monitoring
24/7 automated scanning of the external attack surface for all monitored vendors delivers instant alerts on emerging threats, including:
- Subdomain discovery and shadow IT detection
- Code leak detection on public repositories
- Typosquatting and look-alike domain monitoring
- Dark web monitoring for credential and data exposure
- SSL/TLS certificate analysis for misconfigurations
- CVE exposure mapping for prioritized remediation
All reconnaissance is external, non-intrusive, and requires no vendor participation. Results are delivered in 60 seconds as on-demand external attack surface snapshots, providing real-time visibility into what adversaries see and serving as an early warning layer ahead of a deeper, validated assessment.
Layer 2: Validated OSINT Intelligence — Pre-Assessment Vendor Profiles
Analyst-validated open-source intelligence provides contextualized vendor risk profiles before formal assessment begins, reducing assessment cycle time and ensuring resources are focused on the highest-risk areas.
Layer 3: Risk Qualification Engine — End-to-End Managed Assessment
Comprehensive, managed assessments covering 170+ security and compliance controls aligned with industry standards and pharmaceutical regulatory requirements, delivered by dedicated analysts with life sciences domain expertise.
Quantifiable Business Outcomes
Since deployment, the program has delivered measurable, enterprise-grade outcomes across argenx’s third-party risk management operations—transforming visibility, speed, and decision-making.
Operational Scale and Coverage
- 150+ vendors continuously monitored across the global portfolio
- 37+ countries covered across the vendor ecosystem
- 142 detailed vendor assessment reports delivered
- 8 custom risk frameworks deployed to meet argenx’s specific regulatory requirements
- 5 dedicated analysts supporting the program
Speed and Efficiency
- 60-second risk snapshots generated on demand for any vendor
- < 4-hour turnaround on initial pre-assessment reports
- 60% average reduction in vendor assessment cycle time
Real-World Impact: Proactive Threat Detection
During routine continuous monitoring, early indicators of ransomware activity targeting a mid-tier clinical data services vendor were detected. The automated OSINT layer flagged suspicious dark web mentions and credential exposure linked to the vendor’s infrastructure—enabling argenx to initiate remediation before the threat materialized into an incident.
Strategic Partnership Growth
The engagement evolved from an initial TPRM pilot into a comprehensive, multi-year strategic partnership, with potential to scale strategic value—demonstrating the measurable ROI and trust built through consistent delivery.
Extended Capabilities: AI Governance
The TPRM methodology extends to govern AI tools and models used across the enterprise and by third parties, covering four critical pillars:
- Inventory of AI use cases across the organization and the third-party ecosystem
- Assessment against expanded frameworks, including data governance, model explainability, and bias controls
- Continuous monitoring of AI vendors for compliance with emerging AI regulations
- Alignment with governance frameworks, including EU AI Act readiness and ethical AI criteria
High-Impact Takeaways
From Static Questionnaires to Continuous Intelligence
True vendor risk management requires moving beyond point-in-time assessments to real-time, continuous monitoring that detects threats as they emerge—not months after the fact.
A Three-Layer Model for Comprehensive Coverage
Combining automated OSINT, analyst-validated intelligence, and deep-dive managed assessments creates a defense-in-depth approach that scales with organizational growth and regulatory complexity.
Foundations for AI-Era Governance
As life sciences companies adopt AI across operations and clinical programs, extending proven risk management methodologies to cover AI-specific risks ensures responsible innovation without compromising compliance.
Rather than simply checking compliance boxes, this program established the continuous intelligence infrastructure required for a growing global biopharma to manage third-party risk with confidence—across every vendor, every country, and every regulatory jurisdiction.
“Today, you have to monitor continuously. You can’t let go of it. You’re always at risk. We work closely with USDM in a great partnership to develop our vendor governance and continuous monitoring approach.”
Olivier Melis, Senior Director, Head of DT eCompliance, argenx